Web 2.0 Means “Security the Max Power Way”

Last week my Yankee Group research report “The Web 2.0 Security Train Wreck” went live on the Yankee website, and is available to our customers. Douglas Crockford, a very smart and informed web application expert at Yahoo, who I interviewed for the report, gave it a generally positive review. I sent him a courtesy copy, as is our practice.

However, he also states that I got some things wrong. If you read his critique, he faults me for not pointing out that there’s not much more broken in Web 2.0 that wasn’t already broken. He is right in the sense that the problems are rooted in well-known anti-patterns — notably, ignorance of good security design. That’s true of “1.0” apps too (and, I point this out).

What is different is that the Web 2.0 architectural style makes it easier and faster to hose yourself than ever before due to the fact that JavaScript is pretty much essential for any significant application.

I am reminded of the Simpsons episode where Homer decides to legally change his name to accelerate his career prospects. He settles on the name “Max Power” because it was on his hairdryer. At the dinner table that night, he lectures Bart:

“Boy, if there’s one thing you should know, it’s this. There’s the right way, the wrong way, and the Max Power way.”

“Uh Dad, isn’t that the wrong way?”

“Yeah son, but FASTER.”

From a security design standpoint, “Web 2.0” is the wrong way, but faster.